Why your airline miles are easy theft targets

CHICAGO (MarketWatch)—In the latest scam on consumers, cyber crooks are using emails and other tactics to phish for your airline miles, then spending them on hotels, cars and merchandise.

“When people have hundreds of thousands of miles, that’s like having money in the bank,” said George Hobica, founder of AirFareWatchdog.com, a travel site. “Consumers need to treat these accounts like they would their bank accounts or any other important account,” he said.

Many times consumers don’t even know they’ve been bilked out of their miles until they try to redeem them. This spring a Chicago couple discovered that the 175,000 miles they thought they had in their United Airlines account had been stripped down to 12,000. The airline told them that the miles had been used for a trip to Singapore — which the couple had not taken.

“The frequent flier miles scams are part of a larger ‘malicious traveler’ campaign where cyber criminals send fraudulent emails (posing) as airline companies or hotel reservations,” said Kurt Baumgartner, a senior security researcher with Kaspersky Lab, which produces antivirus software.

Here’s what happens: You get an email from a trusted source, like an airline or travel site or travel agent, notifying you that you have won more miles or confirming a charge for a flight or hotel stay that you did not book.

In one scam this summer, consumers received letters either by fax or through emails with the familiar American Airlines and United Airlines logos, claiming the recipients won two round-trip tickets, according to the Better Business Bureau.

The letters, most of which appeared to come from a Phoenix address, looked much like this:

“NOTE: You must respond no later than XXXX.

“Dear XXXX,

“I am pleased to inform you that you have qualified for an award of 2 roundtrip airline tickets. Congratulations. These tickets are valid for travel anywhere in the Continental U.S. from any major international airport. The retail value of this award is up to $1,298.00. Certain restrictions apply. We have attempted contacting you several times without success. This is our last attempt. If we do not hear from you soon, we may need to issue the ticket vouchers to the alternate.

“Please call me today at ... etc.”

When consumers call or follow the links to redeem these so-called “awards,” they can be asked a number of questions, which include an airline account number and a request for personal information.

Some phishing attacks will include a fake confirmation number or ask you to change your account information.

The bad guys then take this information and sell it to other crooks or to unsuspecting consumers.

International airlines also are being used in the scams, Baumgartner said. In a massive mailing that went out earlier this summer, British Airways consumers were hit with phishing emails.

Another mass mailing in Europe purported to come from booking.com with fake confirmation numbers. It can be tough to tell initially if these are fakes, so it’s important to look very carefully at the information. In the emails with the American and United airlines’ logos, the body of the note called the carrier US Airlines, which, of course, doesn’t exist.

In the British Airways email, if you had hovered over the link it was clear it was a fake.

The scammers aren’t just looking to redeem your miles. They want to take control of your computer and install software that can download malware that might log keystrokes or follow your online steps to your bank account.

“Malware writers spoof a variety of trusted brands — including different airlines — to trick people into opening malicious email attachments and clicking booby-trapped links,” said Brian Krebs, who hosts a popular blog on cyber crimes called KrebsonSecurity.com.

The most ubiquitous malware arrives as a file with the .exe extension inside a zip file. “In some cases, people may not notice or see the .exe extension on the file or they may not understand what an .exe file can do,” Krebs said. “In the case of emailed malicious links, they generally link to hacked sites that use browser vulnerabilities to silently download malware.”

Here are some things you should be looking for:

Never give out personal information. Legitimate companies never ask for that stuff. “We would never ask you to perform security-related changes to your account or send you an email asking about your user name, password or other personal information,” the US Airways scam alert states. “If you receive a suspicious email, do not click on any links or open any attachments. Just delete it.”

Be suspicious of generic email greetings. Many phishing emails begin with something generic like “Dear User” or “Dear Customer” or even just “Dear,” according to American Airlines’ warnings.

Look carefully at the sender’s email address and keep an eye out for typos or poor grammar. Phishing emails typically contain these so that security filters don’t block them.

Be wary of links. Hover over the link to see where it’s sending you. Go directly to the sender’s site if you’re unsure.

Don’t let false claims throw you off. They are the lure in many phishing emails, which then ask you to update or validate your account by clicking on an embedded link.

Don’t be rushed. Some phishing emails will have you believing that your account will disappear or that great deals will go away if you don’t respond immediately.

Change your account passwords or PINs frequently, and treat these accounts like you would other important accounts. “Secure your frequent flier membership numbers and passwords and do not give (them) out to anyone without a direct need to have this information,” said Tom Joyce, spokesman for the BBB in Chicago.
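Two of the checks above can be automated where mail is filtered: comparing a link's visible text with the host it really opens, and listing the members of a zip attachment to spot the .exe files Krebs describes. The Python below is an added example, not part of the original article; `check_message`, `build_sample`, and every host and file name in it are constructed for illustration.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def check_message(raw):
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            try:  # read member names only; nothing is extracted or executed
                members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
            except zipfile.BadZipFile:
                findings.append("unreadable-zip: " + name)
                continue
            findings += ["exe-in-zip: " + m for m in members if m.lower().endswith(".exe")]
        elif part.get_content_type() == "text/html":
            links = Links()
            links.feed(part.get_content())
            for href, shown in links.found:  # only link text that itself looks like a URL
                if "." in shown and " " not in shown and host(shown) != host(href):
                    findings.append(f"link-mismatch: shows {host(shown)}, opens {host(href)}")
    return findings

def build_sample():  # constructed message; every name and host is a placeholder
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("ticket_voucher.pdf.exe", b"placeholder bytes")
    m = EmailMessage()
    m.set_content('<a href="http://other-site.example/r">www.airline.example</a>', subtype="html")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="voucher.zip")
    return m.as_bytes()
```

The host comparison is exact, so a link labelled `airline.example` that opens `www.airline.example` is also reported; treat the output as a prompt for a closer look rather than a verdict.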
